[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones

Chris Thompson cet1 at cam.ac.uk
Fri Apr 24 18:10:30 UTC 2009


On Apr 22 2009, Florian Weimer wrote:

>* Michael Graff:
[...]
>> How many more weeks do you think we should delay re-adding .gov to
>> dlv.isc.org?  And what, specifically, do you suggest be the all-clear
>> trigger?
>
>A working signed delegation for nist.gov (or any other child zone).

We can tell that there *are* signed delegations from gov, even if we
don't know what they are. "Working" is, I suppose, more difficult to
judge.

I collected a sample of 1271 NSEC3 records from the gov zone by random
probing. (I guesstimate that I have very roughly half of them.) Of these,
10 indicated the existence of a DS record, e.g.

5066E5JAKAO44M42VQK68BTJBEVGFFK9.gov. 10800 IN NSEC3 (
  1 0 10 ABAB 50JLCITE3VVN0BUAUC0G5RJVO62P7DVU NS DS RRSIG )

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
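
Added example, not part of the original post: a sketch of the check described above, reading the type bitmap of sampled NSEC3 records to count delegations that have a DS RRset, plus the RFC 5155 hash needed to test whether a record belongs to a delegation name you already know. The function names are hypothetical, and the second sample record is constructed.

```python
import base64
import hashlib

# base32 -> base32hex ("Extended Hex", RFC 4648), the alphabet NSEC3 owner names use
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (algorithm 1 = SHA-1) of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts *additional* rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def parse_nsec3(record):
    """Parse one NSEC3 RR in presentation format (parentheses/newlines allowed)."""
    tok = record.replace("(", " ").replace(")", " ").split()
    i = tok.index("NSEC3")
    return {"owner_hash": tok[0].split(".", 1)[0].upper(),
            "algorithm": int(tok[i + 1]), "flags": int(tok[i + 2]),
            "iterations": int(tok[i + 3]), "salt": tok[i + 4],
            "next_hash": tok[i + 5].upper(), "types": set(tok[i + 6:])}

def is_signed_delegation(rec):
    """NS + DS without SOA: a delegation point that has a DS RRset."""
    return {"NS", "DS"} <= rec["types"] and "SOA" not in rec["types"]

def record_is_for(name, rec):
    """True if this NSEC3 record's owner is the hash of `name`."""
    return nsec3_hash(name, rec["salt"], rec["iterations"]) == rec["owner_hash"]

# The record quoted in the post, followed by a constructed one (hash values made up)
# for an unsigned delegation: NS only, no DS.
SAMPLE = [
    """5066E5JAKAO44M42VQK68BTJBEVGFFK9.gov. 10800 IN NSEC3 (
      1 0 10 ABAB 50JLCITE3VVN0BUAUC0G5RJVO62P7DVU NS DS RRSIG )""",
    """0123456789ABCDEFGHIJKLMNOPQRSTUV.gov. 10800 IN NSEC3 (
      1 0 10 ABAB 123456789ABCDEFGHIJKLMNOPQRSTUV0 NS )""",
]

def count_signed(records):
    """Number of records whose type bitmap marks a signed delegation."""
    return sum(is_signed_delegation(parse_nsec3(r)) for r in records)

if __name__ == "__main__":
    print(count_signed(SAMPLE), "of", len(SAMPLE), "records indicate a DS RRset")
```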



